Published Nov 12, 2009 at 6:55 PM EST. Edits: 10/6/2010 12:31 AM EST – Added section “Non-Sequitur: Windows Cache Poisoning Settings and Recursion Settings.” This was in response to a discussion associating recursion and cache poisoning that I wanted to clear up.

The Distinction Between Recursive and Iterative Queries Actually Depends on Context, Such as Which Machine Is Asking the Query.

The reason I mention this is that a recursive query basically means a machine, such as a client or even a DC, sends the query to a DNS server for resolution, and the DNS server resolves it either from a zone that has been configured locally (in its Forward Lookup Zones or Reverse Lookup Zones), or from a Stub zone, Root Hints, General Forwarder or Conditional Forwarder.

Therefore, in summary, recursive name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass name queries for zones it does not host on to another DNS server, whether through a Stub zone, a Conditional Forwarder or a General Forwarder.

An iterative query is a request from a client that tells the DNS server that the client expects the best answer the DNS server can provide immediately, without contacting other DNS servers, whether or not it has the zone configured. The process then relies on the client to continue, possibly by using a referral, in which the DNS server supplies the client with the NS or A records of a DNS server that is closer to the namespace and may be able to provide the answer. However, that is not what we normally mean by the word ‘query’ when a client sends a request to a DNS server. For the most part, the DNS resolver service on Windows clients is a ‘stub resolver’ that relies on a recursion-enabled DNS server to resolve queries it cannot answer itself. Of course, you can write resolver scripts to perform an iterative query.

However, with a recursion request from a client to a DNS server, which, as I mentioned above, is what we normally mean by the term ‘query,’ the DNS server will do its best to resolve it, either by using Stub zones, a Conditional or General Forwarder, or Root Hints. Querying the Root Hints is essentially a series of iterative queries that walk the namespace down from the TLD (such as from “com” to the second-level name, and so on). A query to a Forwarder, if one is configured, is essentially a recursion request, because technically it is not an iterative request, even though the server repeats (iterates or re-iterates) while trying to find the answer.

You can make nslookup perform an iterative query by using the “norecurse” option (set norecurse). In this situation the DNS server gives its best response without looking anywhere other than its cache or the zones it’s authoritative for.
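To show what “set norecurse” actually changes on the wire, here is an added example in Python (not code from the original post) that builds a DNS query with the RD (recursion desired) bit set or cleared and parses a reply. The reply bytes are constructed by hand, not captured from a real server, and model the referral a non-authoritative server gives to an iterative query: an empty answer section, an NS record in the authority section pointing at a closer nameserver, and a glue A record for it. The names example.com and ns1.example.com and the address 192.0.2.53 are constructed sample values.

```python
"""Build a DNS query with or without the RD bit and parse the flags and
sections of a reply.  Added example, not from the original post; the
referral reply below is constructed by hand, not captured from a server."""
import struct

QTYPE_A, QTYPE_NS = 1, 2


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Header is id, flags, qdcount, ancount, nscount, arcount.
    RD is bit 8 of the flags word; nslookup's 'set norecurse' clears it."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_flags(msg: bytes) -> dict:
    """Pull the flag bits a resolver cares about out of the header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),  # recursion available on the answering server
        "rcode": flags & 0x000F,
    }


def parse_response(msg: bytes) -> dict:
    """Return flags plus (name, type, value) tuples per section.  A referral
    shows up as NS records in 'authority' with an empty 'answer' section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            offset += rdlen
            if rtype == QTYPE_NS:
                value, _ = decode_name(msg, offset - rdlen)
            elif rtype == QTYPE_A:
                value = ".".join(str(b) for b in rdata)
            else:
                value = rdata.hex()
            sections[section].append((name, rtype, value))
    out = parse_flags(msg)
    out.update(sections)
    return out


def build_referral(query: bytes) -> bytes:
    """Constructed reply to an RD=0 query from a server that is not
    authoritative: QR=1, RA=1, AA=0, no answer, NS in authority, glue A."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 0, 1, 1)
    ns_target = encode_name("ns1.example.com")
    authority = encode_name("example.com") + struct.pack("!HHIH", QTYPE_NS, 1, 3600, len(ns_target)) + ns_target
    glue = ns_target + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 53])
    return header + query[12:] + authority + glue


if __name__ == "__main__":
    q = build_query("www.example.com", QTYPE_A, recursion_desired=False)
    print("iterative query flags:", parse_flags(q))
    print("referral:", parse_response(build_referral(q)))
```

The only byte that differs between the “recursive” and “iterative” queries is the RD bit; everything the page describes as the server’s behaviour (answering from its own data, forwarding, or walking the root hints) is the server’s choice once it sees that bit, and the referral shape parsed here is what a stub resolver would have to follow up on by itself.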

To go further…

“Since the DNS server called ns.someisp.com isn’t authoritative for a zone called wiremonkeys.org and hasn’t recently communicated with any host that is authoritative for it, it begins a query of its own on the user’s behalf. The process of asking one or more queries in order to answer (resolve) other queries is called recursion.”

Does that make sense so far?

So to further take it another step or to look at it in a different light…

Keep in mind, recursion is not necessarily resolution. The reason is that the process of following a chain of delegations from one set of content DNS servers to another, starting at some root servers, is termed “resolution,” as exemplified in section 6.3 of RFC 1034. It is not termed “recursion.” “Recursion” is something else: the official definition of “recursion” is the act of a server sending back-end queries (of _whatever_ sort) to another server. Both query resolution, where back-end queries are sent to content DNS servers, and forwarding, where back-end queries are sent to proxy DNS servers, are forms of recursion.

Therefore…

Resolution can often be provided from the server’s own authoritative zones, where no recursion is involved.

A query can be resolved from the cache, where no recursion is involved (it is answered directly, because it’s in the cache).

Or by forwarding, with the forwardee doing the resolution, where recursion is involved.

However, if it forwards the query out, it essentially becomes an iterative query, because the server is proxying the request elsewhere for the client (an indirect query on the client’s behalf); but this can also be viewed as a recursive query by the DNS server itself, acting as a recursive client.

Or the DNS server can perform the query resolution itself, where recursion is involved. An example is when Forwarding is not enabled and the DNS server uses the Root Hints: it is essentially querying the Roots in a recursive manner, walking the DNS name hierarchy down from the TLD.

And more…

Got it?

I hope that was easy. Next week we’ll discuss helion particles (the helium-3 nucleus) and their mass.

Non-Sequitur: Windows Cache Poisoning Settings and Recursion Settings

Added 10/6/2010 – This stemmed from a discussion in the Microsoft forums where a poster was concerned about the cache poisoning settings and recursion after being told that his recursion settings were causing the false positive.

If you have ever had an external security threat analysis performed and the results indicated that your DNS servers were open to DNS pollution, with the recommended fix being to disable recursion, that may not be necessary. Disabling recursion is not an option in many scenarios, and it is not necessarily the answer. Simply enable the “Secure cache against pollution” setting in DNS. Keep in mind (to veer off topic for a moment) that with Windows 2003 and newer, “Secure cache against pollution” is enabled by default; in Windows 2000, it needs to be set. I think this setting should suffice for internal needs and prevent DNS pollution for the most part, without affecting DNS performance, while keeping the server secure against the current vulnerabilities.

If “Do not use recursion for this domain” is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers or the Root Hints) if the forwarders cannot resolve the query. This setting pretty much disables Root Hints, forcing the server to rely only on the Forwarders.

If “Disable recursion” under the Advanced tab is checked (this setting completely disables forwarders), the server will attempt to resolve a query from its own database only. It will not query any additional servers. This is normally set for content-only nameservers, such as those at web hosting companies that host numerous domain names for their customers but don’t want anyone else using them as a DNS server to resolve outside names.

If this is an internal DNS server that is not exposed to the internet, “Secure cache against pollution” is set, and it is not offering public nameserver services for any public records, I think you will be fine and would leave it alone using the default settings.
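The cases listed earlier (own zones, cache, forwarder, root hints) and the two recursion settings described in this section can be laid out as one decision procedure. The following Python model is an added example, not code from the original post or from Windows DNS: the zone data, cache entries, forwarder address and result labels are constructed; the cache is treated as part of the server’s “own database” for the “Disable recursion” case (an assumption); and “Secure cache against pollution” is modelled as a bailiwick check that drops records lying outside the domain the query was for.

```python
"""Decision model for how a DNS server answers a query, and how the Windows
"Disable recursion" and "Do not use recursion for this domain" settings change
it.  Added example; not code from the original post or from Windows DNS.
All zone data, cache entries, forwarder addresses and labels are constructed."""
from dataclasses import dataclass, field


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it in the hierarchy."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


@dataclass
class DnsServer:
    zones: dict = field(default_factory=dict)             # zone -> {name: address}
    cache: dict = field(default_factory=dict)             # name -> address
    forwarders: list = field(default_factory=list)
    forwarder_answers: dict = field(default_factory=dict)  # what the forwarder would return
    root_hints: list = field(default_factory=lambda: ["a.root-servers.net"])
    disable_recursion: bool = False          # Advanced tab: "Disable recursion"
    no_recursion_for_domain: bool = False    # "Do not use recursion for this domain"
    secure_cache_against_pollution: bool = True

    def resolve(self, qname: str) -> tuple:
        """Return (source, detail, recursion_used) for a query name."""
        # 1. Authoritative zone: answered locally, no recursion at all.
        for zone, records in self.zones.items():
            if in_bailiwick(qname, zone):
                return ("authoritative", records.get(qname, "NXDOMAIN"), False)
        # 2. Cache hit: still no recursion (cache counted as own database; assumption).
        if qname in self.cache:
            return ("cache", self.cache[qname], False)
        # 3. "Disable recursion": own database only; forwarders are ignored as well.
        if self.disable_recursion:
            return ("refused", "recursion disabled; forwarders not used", False)
        # 4. Forwarder: the forwardee does the resolution on our behalf (recursion).
        if self.forwarders and qname in self.forwarder_answers:
            return ("forwarder", self.forwarder_answers[qname], True)
        # 5. Forwarder gave nothing: the per-domain setting forbids falling back.
        if self.no_recursion_for_domain:
            return ("failed", "no forwarder answer; root hints disabled by setting", True)
        # 6. Root hints: the server walks the delegation chain itself (recursion).
        return ("root-hints", self.root_hints[0], True)

    def cache_referral(self, queried_zone: str, records: dict) -> dict:
        """Cache records learned while resolving a name in queried_zone.  With
        secure_cache_against_pollution on, out-of-bailiwick records are dropped
        so a reply cannot plant data for unrelated names."""
        accepted = {n: a for n, a in records.items()
                    if not self.secure_cache_against_pollution or in_bailiwick(n, queried_zone)}
        self.cache.update(accepted)
        return accepted


def demo_server() -> DnsServer:
    """Constructed internal server: hosts corp.example, has one cached name,
    and forwards to a single upstream."""
    return DnsServer(
        zones={"corp.example": {"dc1.corp.example": "10.0.0.1"}},
        cache={"www.cached.test": "192.0.2.1"},
        forwarders=["192.0.2.53"],
        forwarder_answers={"www.forwarded.test": "192.0.2.2"},
    )


if __name__ == "__main__":
    s = demo_server()
    for name in ("dc1.corp.example", "www.cached.test", "www.forwarded.test", "www.other.test"):
        print(name, "->", s.resolve(name))
    s.no_recursion_for_domain = True
    print("per-domain setting on:", s.resolve("www.other.test"))
    s.disable_recursion = True
    print("recursion disabled:", s.resolve("www.forwarded.test"))
    learned = {"ns1.example.test": "192.0.2.10", "mail.unrelated.test": "192.0.2.66"}
    print("kept from referral:", s.cache_referral("example.test", learned))
```

Running it shows the point of the section: the server keeps answering for its own zone and cache no matter which recursion setting is on, “Do not use recursion for this domain” only removes the root-hints fallback, “Disable recursion” stops forwarding as well, and the pollution setting is what decides which referral data reaches the cache, independently of recursion.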